Should We Take This Risk?

  • Who takes risk?
  • Who decides whether the risk should be taken?
  • How do they know what the desired level of risk is?
  • How do senior management and the board obtain assurance that the right risks, at the right level, will be taken?

These are important questions, and every risk (and audit) practitioner should understand the answers.

Richard Anderson and I will be taking these on in April and May, and you are invited to join us. Details are at riskreimagined.com.

Taking the first one first: Who takes risk? The correct answer is “everybody”: everybody who makes a decision and everybody who acts. Every decision and action creates or modifies risk and has the potential to influence the achievement of objectives. Whether it is deciding to go through with an acquisition or to hire this candidate instead of an alternative, risk is being taken.

In general, the organization’s structure and delegation of authorities dictates who should be making which decision, who should review and approve that decision and what limitations are put on the “value” or magnitude of that decision.

In other words, the normal approval hierarchy established in any organization typically determines who makes which decision – and therefore who takes which risk.

Some people consider risk as static, the possibility of an event or situation that could affect an objective or two. But our world is anything but static; the environment in which we operate changes all the time, as regulators, markets, customers, vendors and other factors change. Our own organization also changes, as employees leave or join, get promoted, change their minds or intentions, feel differently about their or the company’s prospects, develop new products, retire old products, change pricing and so on.

So, risks are being taken all the time in an environment that is changing all the time.

The normal approval structure will also dictate who decides whether the risk should be taken. The decision maker is the person charged with making that decision, subject to review and approval.

The decision maker will normally weigh all the options, given the information available to her, and try to make an informed, intelligent decision. If there are risk-reward trade-offs, they will be considered in the decision-making process.

But how does the decision-maker know how much risk he should be taking? How does he know whether the risk level for the organization as a whole will now exceed the levels approved by more senior management and the board?

In fact, how do people know how their decisions will affect others, which objectives at the enterprise level might be affected and what the desired levels of risk to those objectives are?

For example, if you consider a recruiter in the HR department who is vetting candidates, prior to their being considered by the hiring manager, does he really know how his decisions on which to take forward will affect the organization?

Does he realize how much value and impact an individual with additional experience will bring to the sales operation, or how a lack of familiarity with ethical practices could increase compliance risk?

Does he understand that a major IT initiative might suffer if he delays a decision on which IT specialist candidates to consider? The risk may be to objectives in IT and in the objectives of the IT function’s customer – the one affected by the delay in completion of the project, or even the possibility of a failure of the project.

There are ways to address these issues that center on communication and collaboration. In the recruiting example, it is incumbent on both IT and HR to ensure the hiring urgency is understood and the value of different levels of experience and technical talent is appreciated and informs the recruiter’s decisions. Similarly, it is up to the IT customer to convey to the IT team the value of the IT project and the various risks (i.e., the effect on their and others’ objectives) should the project fail or be delayed.

Setting acceptable levels at board or top management is not the answer; it may be part of the answer, maybe even a significant part of the answer, but every decision maker needs to know what is desired at her level, and it is impractical to believe that the enterprise risk appetite statement can be translated and cascaded down in a useful and actionable way to every individual actually taking the risks.

In addition, in a dynamic world, desired levels of risk are (or at least should be) changing dynamically.

In some cases, more granular risk criteria can be defined – but, again, not for every single decision.

No, risk is taken and must be taken by individuals at all levels across the entire enterprise. If you want them to take the right risk at the right level, they must be informed and trained in the consideration of risk – and not just the risk to their personal or team objectives, but the effect on others and, eventually, how that can affect enterprise objectives.

Senior management should help by ensuring the people on their team get that decision-making training, with the help as needed of the risk officers.

How, then, do the board and senior management know that the right risks at the right levels are and will be taken? It’s not possible to be certain that they will be taken. Perfect assurance is not possible, as decision makers are human, and they will make mistakes even when all the information is available and they have taken all the required training.

Only reasonable assurance can be obtained.

A few things contribute to obtaining that reasonable assurance:

  • Care and attention to the decision-making process, ensuring that decision makers consider what might happen as an integral element in that process: what needs to go right as well as what could go wrong.
  • Care and attention to the “risk management process/framework/whatever-you-want-to-call-it,” thinking through how desired levels of risk are defined and communicated, the appropriate review and approval process, how people are provided the information they need to make risk-informed decisions and so on.
  • The objective assessment by management (and the chief risk officer) of that risk management process – an honest assessment of whether it provides the necessary assurance and whether it is delivering the value to the organization it should by improving the quality of decisions. I think this assessment should be shared formally with the board.
  • Careful monitoring, after the fact, of actual risk levels and determining what failed when risks exceed desired levels.
  • An independent and objective assessment of the enterprise’s management of risk by the internal audit function.

This is a quick essay on the topic, which is complex and tough to achieve in practice. I welcome your thoughts and hope to discuss it further with you in April or May.

Why Do Some Take Risks, Others Not?

Every time you breathe, you take a risk. But, usually, the potential for harm is greater if you don’t breathe. (There are exceptions, such as when your head is under water without a breathing mask.) Every time you make a decision, you take a risk; we take risk all the time, in pretty much every facet of our personal and professional lives.

But, when faced with the same situation, people will act differently from one another. A person may assess the risk differently from someone else. He may make a different decision regarding whether the risk is acceptable and which fork in the road he should take to address it.

In risk management, it’s fine to have defined risk criteria or appetite statements, but these rarely cover every decision a manager has to make. So, the manager has to make a decision based on what she thinks is best.

A number of experts will point to risk culture as the answer to this variance in decision-making. The experts seem to believe that some organizations are more risk-averse than others. But organizations are composed of people—different people in leadership roles with different backgrounds, experiences and biases. Organizations are not homogeneous. In fact, sections of an organization are not staffed with people who are identical in their attitude toward risk.

For example, on whether to select vendor A, B, C or a combination of the three, different people are likely to make different decisions. Manager X may have had a bad experience at another company with vendor A, while Manager Y used to work for that vendor. Manager Z may have lived through a disastrous experience where a sole-source vendor failed, so she will opt for a combination of two or more vendors. Manager Y may have just suffered a loss on the stock market that affects his desire to take risk, while Manager X has just heard he is a grandparent again. Even something such as a state of mind can influence a risk decision.

It’s not only that different people make different decisions in the same situation but that each person may make different decisions at different times. This is important because, as risk professionals, we want decision-makers to only take the level of risk that top management and the board desires.

To have consistent decisions on risk, we need to know the temperature and overall health of the organization and its decision-makers. We need to answer these questions:

  • Who are we relying on to take the risks that matter most to the organization’s success?
  • How can we obtain assurance that they understand the desired level of risk?
  • How can we obtain assurance that they will act as we desire?
  • How will we know when their risk attitude changes?

A survey will, perhaps, give you a moment-in-time view. However, people change. Managers and executives leave, new ones join and people’s perspective and desire to take risk changes, especially if they see their compensation or termination is likely to be affected by their decision.

This is a complex issue that risk professionals need to understand and assess within, and across, their organization.

Richard Anderson and I will be discussing this in our Risk Conversations coming up in April in London and Chicago. Details are at www.riskreimagined.com.

In the meantime, how do you address this variability? How do you know that your decision-makers will take the desired level of risk?

Integrating Strategy, Risk and Performance

While many (including me) talk about the need for integrating the setting and execution of strategy, the management of risk, decision-making and performance monitoring, reporting and management, there isn’t a great deal of useful guidance on how to do it well.

A recent article in CGMA Magazine, 8 Best Practices for Aligning Strategy, Planning and Risk, describes a methodology used by Mass Mutual that it calls the “Pinwheel.”

There are a number of points in the article that I like:

  • “Success in business is influenced by many factors: effective strategy and execution; deep understanding of the business environment, including its risks; the ability to innovate and adapt; and the ability to align strategy throughout the organization.”
  • “The CEO gathers senior corporate and business unit leaders off-site three times a year. As well as fostering transparency, teamwork and alignment, this ensures that the resulting information reaches the board of directors in time for its meetings….The result: The leadership team is more engaged in what the company’s businesses are doing, not just divisional priorities. This makes them more collaborative and informed leaders. This helps foster a more unified brand and culture across the organization.”
  • “A sound understanding of global business conditions and trends is fundamental to effective governance and planning.”
    Comment: Understanding the external context is critical if optimal objectives and strategies are to be set, with an adequate understanding of the risks inherent in each strategy and the relative merits of every option.
  • “Strategy and planning is a dynamic process, and disruptive innovation is essential for cultural change and strategic agility. Management and the board must continually consider new initiatives that may contribute to achieving the organization’s long-term vision and aspirations.”
  • Key risk indicators are established for strategies, plans, projects and so on.
  • “Evaluation and monitoring to manage risks and the overall impact on the organization is an ongoing process….Monitoring is a continuous, multi-layered process. In addition to quarterly monitoring of progress against the three-year operating plan and one-year budget, the company has initiated bottom-up ‘huddle boards’ that provide critical information across all levels of the organization.”
  • “Effective governance requires a tailored information strategy for the executive leadership team and the board of directors…. This should include: essential information needed to monitor and evaluate strategic execution of the organization; risks to the achievement of long-term objectives; and risks related to conforming to compliance and reporting requirements.”
  • “Integrating the ERM, FP&A and budget functions can help to manage risks effectively and to allocate limited capital more quickly and efficiently.”

I am not familiar with the company and its methodology, but based on the limited information in the article I think there are some areas for improvement:

1. Rather than selecting strategies and objectives and only then considering risk, the consideration of risk should be a critical element in the strategy-selection process.

2. The article talks about providing performance and risk information separately to the corporate development and risk functions. Surely, this should be integrated and used primarily by operating management to adjust course as needed.

3. I am always nervous when the CFO and his team set the budget and there is no mention of how operating management participates in the process. However, it is interesting that the risk function at Mass Mutual is involved.

What do you think? I welcome your comments.

How to Evaluate the External Auditors

The Audit Committee Collaboration (six associations or firms, including the National Association of Corporate Directors and NYSE Governance Services) recently published External Auditor Assessment Tool: A Reference for Audit Committees Worldwide.

It’s a good product, useful for audit committees and those who advise them — especially chief audit executives (CAEs), CFOs and general counsel.

The tool includes an overview of the topic, a discussion of important areas to assess (with sample questions for each) and a sample questionnaire to ask management to complete.

However, the document does not talk about the critical need for the audit committee to exercise professional skepticism and ask penetrating questions to test the external audit team’s quality.

Given the publicized failures of audit firms to detect serious issues (fortunately few, but still too many – the latest being the FIFA scandal) and the deficiencies continually found by the PCAOB Examiners, audit committees must take this matter seriously.

Let me illustrate with a story. Some years ago, I joined a global manufacturing company as the head of the internal audit function, with responsibility for the SOX program. I was the first to hold that position; previously, the internal audit function had been outsourced. Within a couple of months, I attended my first audit committee meeting. I said there was an internal control issue that, if not addressed by year-end, might be considered a material weakness in the system of internal control over financial reporting. None of the corporate financial reporting team was a CPA! That included the CFO, the corporate controller and the entire financial reporting team. I said that, apart from the Asia-Pacific team in Singapore, the only CPAs on staff were me, the treasurer and a business unit controller. The deficiency was that, as a result, the financial reporting team relied heavily on the external auditors for technical accounting advice – and this was no longer permitted.

The chairman of the audit committee turned to the CFO, asked him if that was correct and received an (unapologetic) affirmative. The chairman then turned to the audit partner, seated directly to his right, and asked if he knew about this situation. The partner also gave an unapologetic “yes” in reply.

The chairman then asked the CEO (incidentally, the former CFO, whose policy it had been not to hire CPAs) to have the issue addressed promptly, which it was.

However, the audit committee totally let the audit partner off the hook. The audit firm had never reported this as an issue to the audit committee, even though it had been in place for several years. The chairman did not ask the audit partner why; whether he agreed with my assessment of the issue; why the firm had not identified this as a material weakness or significant deficiency in prior years; or any other related question.

If you talk to those in management who work with the external audit team, the most frequent complaint is that the auditors don’t use judgment and common sense. They worry about the trivial rather than what is important and potentially material to the financial statements. In addition, they often are unreasonable and unwilling to work with management – going overboard to preserve the appearance of independence.

I addressed this in a prior post, when I said the audit committee should consider:

  • Whether the external auditor has adopted an appropriate attitude for working with the company, including management and the internal auditor
  • Whether the auditor has taken a top-down and risk-based approach that focuses on what matters and not on trivia, minimizing both cost and disruption, and
  • Whether issues are addressed with common sense rather than a desire to prove themselves

Does your audit committee perform an appropriate review and assessment of the external audit firm and their performance?

I welcome your comments.

12 Questions for Managing Cyber Risk

Recently, I participated in an NACD Master Class. I was a panelist in discussions of technology and cyber risk with 40 to 50 board members very actively involved, because this is a hot topic for boards.

I developed and shared a list of 12 questions that directors can use when they ask management about their organization’s understanding and management of cyber-related business risk.

The set of questions can also be used by executive management, risk professionals or internal auditors, or even by information security professionals interested in assessing whether they have all the necessary bases covered.

This is my list:

  • How do you identify and assess cyber-related risks?
  • Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of intellectual property, compliance risk and so on) and not just IT risk?
  • How do you evaluate the risk to know whether it is too high?
  • How do you decide what actions to take and how much resource to allocate?
  • How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
  • How do you assess the potential new risks introduced by new technology? How do you determine when to take the risk because of the business value?
  • Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
  • How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
  • Can you respond appropriately at speed?
  • What procedures are in place to notify you, and then the board, in the event of a breach?
  • Who has responsibility for cybersecurity, and do they have the access they need to senior management?
  • Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce new risks by signing up for new cloud services?

I am interested in your comments on the list, how it can be improved and how useful it is – and to whom.